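# Declarative NixOS container that acts as an SSH-reachable btrfs backup target.
#
# Arguments:
#   hostAddress, localAddress - addresses of the container's private veth pair
#                               (passed through unchanged at the bottom).
#   containerBackupCfg        - attrset read here for: addr, user, group,
#                               targetPath and portInt.
#   sshPort                   - host port forwarded to the container's sshd;
#                               defaults to containerBackupCfg.portInt.
#
# Returns the attrset describing the container (config module, bind mount,
# port forward, network addresses).
{ hostAddress
, localAddress
, containerBackupCfg
, sshPort ? containerBackupCfg.portInt
}:

{
  config = { config, pkgs, lib, ... }: {
    system.stateVersion = "21.11"; # Did you read the comment?

    imports = [ ../profiles/containers/configuration.nix ];

    # NOTE(review): the in-container firewall is disabled. The only forward
    # declared in this file is sshPort -> 22, but any other service listening
    # inside the container is reachable from the host side of the private
    # network. Confirm this is intended, or enable the firewall and allow
    # only TCP 22.
    networking.firewall.enable = false;

    services.ddclientovh = {
      enable = true;
      domain = containerBackupCfg.addr;
    };

    # NOTE(review): sshd is exposed through the forwarded port, and nothing
    # here enforces key-only login or forbids root login; both are left at
    # the module defaults unless the imported profile sets them. Consider
    # services.openssh.passwordAuthentication = false and
    # services.openssh.permitRootLogin = "no" (on newer NixOS releases these
    # live under services.openssh.settings.*).
    services.openssh.enable = true;

    # Backup account. Its home is the bind-mounted backup target.
    # NOTE(review): the group named by containerBackupCfg.group is not
    # declared in this file - presumably defined by the imported profile or
    # elsewhere; verify.
    users.extraUsers."${containerBackupCfg.user}" = {
      uid = 2000;
      group = containerBackupCfg.group;
      # NOTE(review): the key below grants a full interactive shell. If this
      # account is only ever driven by a backup tool, restricting the key
      # with a forced command (command="..." in authorized_keys) would limit
      # what a stolen key can do.
      shell = pkgs.bashInteractive;
      home = "/${containerBackupCfg.targetPath}";
      openssh.authorizedKeys.keys = [
        "ssh-rsa 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 bkp"
      ];
      packages = with pkgs; [
        btrfsProgs
        # btrbk
      ];
      isSystemUser = true;
    };

    # Passwordless sudo for the backup account, limited to three binaries.
    # The rule follows containerBackupCfg.user instead of a hard-coded "bkp",
    # so the sudo rule and the per-user profile path always refer to the
    # account created above (identical result when the user is "bkp").
    #
    # NOTE(review): the commands carry no argument restrictions, so whoever
    # holds the SSH key can run any btrfs subcommand as root inside the
    # container, including destructive ones against the backup volume. Treat
    # the private key as root-equivalent for the backup data.
    security.sudo = {
      enable = true;
      extraRules = [
        {
          users = [ containerBackupCfg.user ];
          commands = [
            {
              command = "/etc/profiles/per-user/${containerBackupCfg.user}/bin/btrfs";
              options = [ "NOPASSWD" ];
            }
            {
              command = "/run/current-system/sw/bin/readlink";
              options = [ "NOPASSWD" ];
            }
            {
              command = "/run/current-system/sw/bin/test";
              options = [ "NOPASSWD" ];
            }
          ];
        }
      ];
    };
  };

  autoStart = true;

  # The host directory holding the backups is mounted read-write at the
  # backup user's home inside the container.
  bindMounts = {
    "/${containerBackupCfg.targetPath}" = {
      hostPath = "/var/lib/container-volumes/backup-target";
      isReadOnly = false;
    };
  };

  privateNetwork = true;

  forwardPorts = [
    {
      # ssh
      containerPort = 22;
      hostPort = sshPort;
      protocol = "tcp";
    }
  ];

  inherit hostAddress localAddress;
}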